A New Privacy-Preserving Handover Authentication Scheme for Wireless Networks

Handover authentication is a critical issue in wireless networks: it ensures that mobile nodes can roam over multiple access points securely and seamlessly. A variety of handover authentication schemes for wireless networks have been proposed in the literature. Unfortunately, existing handover authentication schemes are either vulnerable to certain security attacks or incur high communication and computation costs. Recently, He et al. proposed a handover authentication scheme, PairHand, and claimed that it resists various attacks, without giving rigorous security proofs. In this paper, we show that PairHand does not meet forward secrecy and strong anonymity. More seriously, it is vulnerable to a key compromise attack, in which an adversary can recover the private key of any mobile node. We then propose a new efficient and provably secure handover authentication scheme for wireless networks based on elliptic curve cryptography. Compared with existing schemes, our proposed scheme resists the key compromise attack and achieves forward secrecy and strong anonymity. Moreover, it is more efficient in terms of computation and communication.


Introduction
With the rapid development of wireless Internet access techniques, more and more mobile services have appeared, making people's lives more convenient. For instance, wireless local area networks (WLANs) offer convenient access to network services [1], vehicular ad hoc networks (VANETs) provide great opportunities for collaborative traffic information exchange [2], and wireless sensor networks (WSNs) can monitor physical or environmental information in real time [3]. Handover authentication is essential to overcome the geographical coverage limit of each access point; it enables mobile nodes (e.g., laptops, PDAs, smart phones and vehicles) to securely and seamlessly roam over multiple access points [4].
Generally, a handover authentication scheme involves three participants: mobile nodes (MNs), access points (APs) and the authentication server (AS). An MN registers with the AS and then connects to any AP to access its subscribed services. An AP acts as a guarantor, vouching for an MN as a legitimate subscriber. When an MN moves from the current AP (e.g., $AP_1$) to a new AP (e.g., $AP_2$), it triggers the execution of handover authentication at $AP_2$. $AP_2$ then verifies whether the MN is an authorized user. If the MN is an unauthorized user, $AP_2$ rejects the MN's access request. If the MN is an authorized user, a session key is simultaneously established to protect data traffic between the MN and $AP_2$. Figure 1 illustrates a typical handover authentication scenario.

Efficiency and security are the two major challenges researchers face when designing handover authentication schemes for wireless networks. On the one hand, the handover authentication process should be fast enough to cope with the time limitation of handover, while MNs are generally constrained in energy supply, bandwidth and processing capability. Therefore, a handover authentication scheme for wireless networks should be efficient in terms of communication and computation. On the other hand, security and privacy have become increasingly important in mobile computing, particularly in the context of handover authentication schemes, as they relate to the MN's credential information.
As a promising seamless access control technology, handover authentication schemes have received much attention in recent years [4,5,6,7,8,9,10,11]. He et al. [4] proposed a smart-card-based handover authentication scheme, which requires $AP_2$ to contact the AS to vouch for the MN's legitimacy; four messages are exchanged among the MN, $AP_1$ and $AP_2$ when the MN moves from $AP_1$ to $AP_2$. Obviously, this results in more computation and communication delay, especially since the AS is often located remotely. Later, He et al. [5] proposed a privacy-preserving handover authentication scheme in which $AP_2$ does not communicate with the AS, but there are still three message exchanges between the MN and $AP_2$ for mutual authentication and key establishment. To improve communication efficiency and reduce the burden on the AS, He et al. [6] proposed a secure handover authentication scheme named PairHand. Instead of relying on the participation of the AS, PairHand only requires two handshakes between the MN and $AP_2$ for mutual authentication and key establishment. Furthermore, PairHand uses a pool of short-lived pseudonyms to protect users' privacy. Unfortunately, they soon found that PairHand is vulnerable to a private key compromise attack [7], in which an adversary can recover any MN's private key. He et al. [7] then proposed an improved PairHand by replacing the prime-order ($q$) bilinear group with a composite-order ($n$) bilinear group. However, Yeo et al. [8] showed that He et al.'s improved PairHand is still vulnerable to the private key compromise attack; even worse, an adversary is able to compute the master key when the prime factors of $n$ are all relatively small. However, they did not give any effective solution to resist the private key compromise attack. Subsequently, Tsai et al. [9] and Wang et al. [10] each presented a handover authentication scheme from prime-order bilinear pairings to resist the private key compromise attack. However, neither Tsai et al.'s scheme [9] nor Wang et al.'s scheme [10] achieves forward secrecy, and both are vulnerable to known session key attacks. Recently, Li et al. [11] proposed a handover authentication scheme without bilinear pairings. However, Chaudhry et al. [12] found that Li et al.'s scheme cannot withstand access point impersonation attacks.
In this paper, we further analyze the security of the improved PairHand and show that it does not meet forward secrecy and strong anonymity. Next, we propose a new efficient handover authentication protocol without bilinear pairings that fixes the security flaws of PairHand. Our main approach is to integrate Pointcheval and Stern's blind signature scheme [13], Chatterjee et al.'s identity-based signature scheme [14] and Yasmin et al.'s identity-based authenticated key establishment protocol [15] into a handover authentication scheme. Compared to existing handover authentication schemes, our proposed scheme is more efficient in terms of computation and communication, and it is escrow-free and achieves MN forward secrecy, MN anonymity and untraceability. There is only a one-pass message exchange between the MN and the AP for mutual authentication and key establishment. In particular, batch verification for handover authentication is also achieved, and no bilinear pairing computation is required in our proposed handover authentication scheme.
This paper is organized as follows. We introduce the necessary preliminaries in Section 2. Next, we review He et al.'s improved PairHand and show that it cannot satisfy the required security properties in Section 3. We describe our new handover authentication scheme in Section 4, and present the security and efficiency analysis of our proposed scheme in Section 5. Finally, we conclude our work in Section 6.

Preliminaries
To facilitate further description, we introduce notations in Table 1.

Bilinear Pairings and Complexity Assumptions
Let $G_1$ be an additive cyclic group generated by $P$ with prime order $q$, and let $G_2$ be a multiplicative group of the same order $q$. A bilinear pairing is a map $\hat{e} : G_1 \times G_1 \to G_2$ with the following properties. Non-degeneracy: $\hat{e}(P, P) \neq 1$, where $1$ is the identity element of $G_2$.
Typically, $G_1$ will be a subgroup of the group of points on an elliptic curve over a finite field, $G_2$ will be a subgroup of the multiplicative group of a related finite field, and the map $\hat{e}$ will be derived from the Weil or Tate pairing on the elliptic curve.
Let $E_p(a, b)$ be the set of elliptic curve points over the prime field $\mathbb{F}_p$ defined by the non-singular elliptic curve equation $y^2 = x^3 + ax + b \bmod p$, together with a special point at infinity $O$, where $a, b \in \mathbb{F}_p$ and $4a^3 + 27b^2 \bmod p \neq 0$. This set together with the elliptic curve group operation is an Abelian group, with the point at infinity as the identity element.
Let $P \in E_p(a, b)$ be a point of prime order $q$, and let $G_1$ be the subgroup generated by $P$, i.e., $G_1 \stackrel{\mathrm{def}}{=} \langle P \rangle$.
Definition 1. Given $Q \in G_1$, the elliptic curve discrete logarithm problem (ECDLP) for $G_1$ is to find the integer $x$, $1 \le x \le q$, such that $Q = [x]P$.
The advantage of an adversary $\mathcal{A}$ in breaking the ECDLP is denoted $\mathrm{Adv}^{\mathrm{ECDLP}}_{\mathcal{A}}(1^\kappa)$. We say that the elliptic curve discrete logarithm assumption (ECDLA) holds for the group $G_1$ if, for any probabilistic polynomial-time adversary $\mathcal{A}$, the advantage $\mathrm{Adv}^{\mathrm{ECDLP}}_{\mathcal{A}}(1^\kappa)$ is a negligible function of the security parameter $\kappa$.
Definition 2. Given $[a]P, [b]P \in G_1$ for unknown $a, b \in \mathbb{Z}_q^*$, the elliptic curve computational Diffie-Hellman problem (ECCDHP) for the group $G_1$ is to compute $[ab]P$.
The advantage of an adversary $\mathcal{A}$ in breaking the ECCDHP is denoted $\mathrm{Adv}^{\mathrm{ECCDH}}_{\mathcal{A}}(1^\kappa)$. We say that the elliptic curve computational Diffie-Hellman assumption (ECCDHA) holds for $G_1$ if, for any probabilistic polynomial-time adversary $\mathcal{A}$, the advantage $\mathrm{Adv}^{\mathrm{ECCDH}}_{\mathcal{A}}(1^\kappa)$ is a negligible function of the security parameter $\kappa$.

Pointcheval and Stern's Blind Signature Scheme
Blind signatures allow a user to obtain a signature from a signer on any message in such a way that the signer learns nothing about the message being signed, and nobody except the signature requester can link one of the messages the signer has received with a valid blind signature. Pointcheval and Stern [13] proposed an efficient blind signature scheme based on the Schnorr signature scheme, which is proved secure in the random oracle model under the ECDLA. Pointcheval and Stern's blind signature scheme is described as follows.
• Setup: A trusted authority generates an elliptic curve group $G_1$ of prime order $q$ with a generator $P$, and publishes the domain parameters $params = \langle P, q, G_1, H_1 \rangle$.
• Sign: The requester sends the challenge $c = c' - \beta \bmod q$ to the signer. Then, the signer returns the value $s = k + cx \bmod q$ to the requester. Finally, the requester verifies whether the following equation holds. If it holds, the requester computes $s' = s + \alpha \bmod q$ and obtains a blind signature $(c', s')$ that has been signed by the signer for the message $m$, which is unknown to the signer.

• Verify: Anyone can verify that the pair $(c', s')$ is a valid Schnorr signature on $m$, since it satisfies the Schnorr verification equation.

Blind signature schemes have been widely used in systems that guarantee participants' anonymity. We will use the above blind signature scheme in our handover authentication scheme to guarantee the MNs' strong anonymity.

Improved Galindo and Garcia's Identity-Based Signature Scheme
Galindo and Garcia [16] proposed a lightweight identity-based signature scheme, named GG-IBS, at Africacrypt 2009. It is recognized as one of the most efficient identity-based signature schemes to date because it requires no complicated bilinear pairings. We describe the GG-IBS scheme as follows.
• Setup: A trusted authority named the PKG first generates an elliptic curve group $G_1$ of prime order $q$ with a generator $P$, chooses $s \xleftarrow{\$} \mathbb{Z}_q^*$ and computes $P_{pub} = [s]P$. Finally, the PKG sets the master secret key $msk = s$ and publishes the master public key $mpk = \langle G_1, q, P, P_{pub}, H_1, H_2 \rangle$.
• Extract: A user submits a private key request with his/her identity $id \in \{0, 1\}^*$ to the PKG. Upon receiving the request, the PKG chooses $r_{id}$ and derives the pair $(sk_{id}, R_{id})$. Finally, the PKG sends $(sk_{id}, R_{id})$ to the user via a secure channel. Upon receiving the response message, the user computes $c = H_1(id, R_{id})$ and checks the following equation. If it holds, the user keeps the tuple $(sk_{id}, R_{id})$ as his/her identity-based signing private key. The corresponding public key can be computed as $R_{id} + H_1(id, R_{id})P_{pub}$.

• Sign: To sign a message $m$, the signer with identity $id$ and signing private key $sk_{id}$ chooses $a$ and produces the signature on $m$.
• Verify: The verifier checks the verification equation. If it holds, the verifier accepts the signature and outputs true. Otherwise, it outputs $\bot$.
Chatterjee et al. [14] proved that the GG-IBS scheme is existentially unforgeable under adaptively chosen identity and message attacks (EUF-ID-CMA) in the random oracle model under the ECDLA. We will use the GG-IBS scheme in our handover authentication scheme to provide mutual authentication between the AP and the MN.

Yasmin et al.'s Identity-Based One-Pass Authenticated Key Establishment Protocol
Yasmin et al. [15] proposed a pairing-free, one-pass authenticated key establishment protocol. There are three algorithms in Yasmin et al.'s protocol: Setup, Extract and Key Exchange. The Setup and Extract algorithms are the same as those in the GG-IBS scheme. Here, we only describe the Key Exchange algorithm, as follows.
• Alice, the initiator of the protocol, chooses an ephemeral private key and computes the ephemeral public key $L$ and her session key. Then, Alice deletes $L$ and the ephemeral private key. Finally, Alice sends $(L, id_A, id_B, \sigma)$ to the receiver Bob, where $\sigma$ is Alice's identity-based signature on the ephemeral public key $L$ together with Alice's identity $id_A$ and Bob's identity $id_B$.

• Bob verifies the signature $\sigma$ using $id_A$ and the other public parameters. If the signature verification holds, Bob sets the common shared session key $K_{B,A} = \mathrm{KDF}([sk_{id_B}]L)$ and deletes $L$. Otherwise, the protocol terminates here.
This one-pass authenticated key establishment protocol was proved secure in the identity-based extended Canetti-Krawczyk (ID-eCK) model [17], in the random oracle model under the ECCDHA [15]. We will use this algorithm in our proposed handover authentication scheme to establish a common session key between the roaming MN and the target AP.

Cryptanalysis of He et al.'s PairHand
He et al.'s PairHand consists of four phases: the system initialization phase, the handover authentication phase, the batch authentication phase, and the denial-of-service (DoS) attack resistance phase. In the following, we only briefly review the first two phases of PairHand; readers may refer to [6] for details.

Review of He et al.'s PairHand
System Initialization: Given a security parameter $\kappa$, the AS first generates an elliptic curve group $G_1$ of prime order $q$ with a generator $P$, a cyclic multiplicative group $G_2$ of the same prime order $q$, and an admissible bilinear map $\hat{e} : G_1 \times G_1 \to G_2$. It then chooses $s \in \mathbb{Z}_q^*$, computes $P_{pub} = [s]P$, and sets the master secret key $msk = s$. Finally, the AS publishes the public parameters $params = \langle G_1, G_2, q, \hat{e}, P, P_{pub}, H_3, H_4, \mathrm{HMAC} \rangle$.
2. $AP \to MN_i$: Upon receiving $\langle msg_i, \sigma_i \rangle$, the AP first checks whether the time-stamp $ts$ is valid. If $ts$ is invalid, the request is rejected. Otherwise, the AP verifies the signature $\sigma_i$ by checking whether the following equation holds. If it holds, the AP further computes $K_i = \hat{e}(H_3(pid_i), [s]H_3(id_{AP}))$ and generates a message authentication code $tag = \mathrm{HMAC}(K_i, pid_i \| id_{AP})$. Finally, the AP sends the tuple $\langle pid_i, id_{AP}, tag \rangle$ to $MN_i$.

3. Upon receiving the response $\langle pid_i, id_{AP}, tag \rangle$ from the AP, $MN_i$ generates a new message authentication code $tag' = \mathrm{HMAC}(K_i, pid_i \| id_{AP})$ and compares it with $tag$. If $tag'$ matches $tag$, then $MN_i$ believes the AP is legitimate and has established the shared session key $K_i$. Otherwise, $MN_i$ rejects the connection.
4. $AP \to AS$: Finally, the AP securely transmits $\langle msg_i, \sigma_i \rangle$ to the AS. Upon receiving this message, the AS can find the real identity of $MN_i$ according to the pseudo-identity included in $msg_i$.

Cryptanalysis of He et al.'s PairHand
He et al. [6] claimed that the signature $\sigma_i$ cannot be forged, without giving rigorous security proofs. They soon described a key compromise attack [7] for the case where an adversary obtains a valid signature $\langle msg_i, \sigma_i \rangle$: the adversary can compute $H_4(msg_i)^{-1} \bmod q$ using the extended Euclidean algorithm, and can further recover $MN_i$'s private key from $\sigma_i$. He et al. [7] mistakenly believed that if $H_4(msg_i)$ and $q$ are not coprime, then an adversary cannot compute the private key $[s]H_3(pid_i)$. To remedy the above vulnerability, they suggested using composite-order bilinear groups instead of prime-order bilinear groups, i.e., replacing $q$ with a composite number $n$. Obviously, this results in lower efficiency, because computing the pairing itself becomes significantly slower and the representation of group elements becomes substantially longer. More seriously, if $\gcd(H_4(msg_i), n) \neq 1$, then $n$ is factored.
Yeo et al. [8] showed that He et al.'s improved PairHand [7] is still vulnerable to the key compromise attack. Assume that an adversary obtains $t > 1$ messages and their corresponding signatures generated under the same MN's private key. The adversary can then compute $\gamma = H_4(msg_i)$ and check whether $\gamma$ is coprime to $n$. If the adversary finds a $\gamma$ coprime to $n$ for some $1 \le j_1 < j_2 \le t$, the adversary can compute $\gamma^{-1}$ and use it to recover the private key. The adversary can repeat this procedure over all sub-combinations of the hash values $H_4(msg_i)$ until the private key is obtained or all combinations are exhausted. Unfortunately, Yeo et al. [8] neither explained why the improved PairHand is vulnerable to the key compromise attack nor gave any remedy against it. In fact, if $H_4(msg_i) \notin \mathbb{Z}_n^*$ (the probability that a random integer in $\mathbb{Z}_n$ is not coprime to $n$ is equal to $\phi(n)/(n-1)$, where $\phi(n)$ is the Euler totient function; obviously, it is not negligible), then the composite number $n$ is factored. Otherwise, the adversary can compute $H_4(msg_i)^{-1} \bmod n$ from $H_4(msg_i) \in \mathbb{Z}_n^*$ in polynomial time using the extended Euclidean algorithm. Thus, the adversary can obtain $MN_i$'s identity-based private key.

The session key established between the AP and $MN_i$ is $K_i = \hat{e}(H_3(pid_j), H_3(id_{AP}))^s$ in both PairHand and the improved PairHand, which is fixed for the same pseudo-identity $pid_j$ chosen by $MN_i$. This shows that neither PairHand nor the improved PairHand achieves forward secrecy. In addition, pseudo-identities, instead of the MN's real identity, are used in the handover authentication phase for the purpose of privacy protection. Obviously, the AS can link $MN_i$'s pseudonyms with its real identity, because $MN_i$'s pseudonyms are generated by the AS.

Our Proposed Handover Authentication Scheme
Our proposed handover authentication scheme also consists of four phases: the system initialization phase, the handover authentication phase, the batch authentication phase and the DoS attack resistance phase. In order to defend against DoS attacks, the method in [6] can be adopted in our scheme. Therefore, we only describe the other three phases, as follows.
System Initialization: Given a security parameter $\kappa$, the AS first generates an elliptic curve group $G_1$ of prime order $q$ with a generator $P$. Then, the AS chooses $s \xleftarrow{\$} \mathbb{Z}_q^*$ and computes $P_{pub} = [s]P$. Finally, the AS sets the master secret key $msk = s$ and publishes the master public key $mpk = \langle G_1, q, P, P_{pub}, H_1, H_2, H_3, \mathrm{KDF} \rangle$.

• As shown in Figure 2, the AP registration phase is invoked whenever an AP, say $AP_j$, registers with the AS. $AP_j$ picks an identity $id_{AP_j} \xleftarrow{\$} \{0, 1\}^*$ and sends $id_{AP_j}$ to the AS. Upon receiving the private key request from $AP_j$, the AS first chooses $r_{AP_j} \xleftarrow{\$} \mathbb{Z}_q^*$, computes $R_{AP_j} = [r_{AP_j}]P$, $c_{AP_j} = H_1(id_{AP_j}, R_{AP_j})$ and $sk_{AP_j} = r_{AP_j} + c_{AP_j} s \bmod q$. Then, the AS sends $(sk_{AP_j}, R_{AP_j})$ to $AP_j$ via a secure channel. Upon receiving the response message from the AS, $AP_j$ computes $c_{AP_j} = H_1(id_{AP_j}, R_{AP_j})$ and checks the following equation. If it holds, $AP_j$ stores the tuple $(id_{AP_j}, sk_{AP_j}, R_{AP_j})$.
If it holds, $MN_i$ computes $sk_{MN_i} = s_{MN_i} + \alpha_{MN_i} \bmod q$ and obtains its identity-based signing private key $sk_{MN_i}$ and public key $R_{MN_i}$, which is in fact a blind signature produced by the AS on the pseudonym $pid_{MN_i}$, unknown to the AS.
Notice that $MN_i$ can choose a family of unlinkable pseudo-identities $pid$ and obtain the corresponding identity-based signing private keys $sk$. Thus, $MN_i$ can constantly change its pseudo-ID to achieve identity privacy and location privacy in the handover authentication phase.

Handover Authentication: When a roaming MN moves out of the coverage of its currently associated AP, it should hand over to a new AP. Assume each AP periodically broadcasts a beacon message that includes the AP's certificate together with other necessary network information. The AP's certificate contains $(id_{AP}, R_{AP})$, signed by a trusted certificate authority, and the certificate cannot be impersonated. If a roaming $MN_i$ chooses a target $AP_j$, $MN_i$ first verifies $AP_j$'s certificate to confirm the validity of $(id_{AP}, R_{AP})$. Only if validation succeeds does $MN_i$ enter the handover authentication phase. The detailed description of this phase is as follows, and Figure 4 further illustrates it.

1. $MN_i \to AP_j$: $MN_i$ holds a tuple of pseudo-identity and private key. Finally, $MN_i$ sends the handover authentication request $\langle msg_{i,j}, \sigma_{i,j} \rangle$ to the target $AP_j$.

2. $AP_j \to MN_i$: Upon receiving the handover authentication request $\langle msg_{i,j}, \sigma_{i,j} \rangle$ from $MN_i$, the target $AP_j$ checks the time-stamp $ts$. If $ts$ is fresh, $AP_j$ is able to verify the signature by checking the following equation. If the equation does not hold, the message may not have been sent by a valid MN; hence, the protocol terminates at this stage. Otherwise, $AP_j$ accepts the message. Finally, $AP_j$ computes the symmetric session key $K_{j,i} = \mathrm{KDF}([sk_{AP_j}]L_{i,j})$ using its own private key $sk_{AP_j}$. It is easy to see that if the two parties successfully complete matching sessions, they both compute the same session key.

Batch Verification: A large number of signature verifications is likely to become a bottleneck at each AP. Providing batch verification, which allows an AP to verify multiple signatures simultaneously, is a desirable feature that addresses this problem. Its advantage is that the total computation cost of the verification performed by an AP can be substantially reduced.
Our proposed scheme also enjoys the batch verification feature. Assume that $AP_j$ receives $n$ distinct handover authentication requests from $n$ distinct MNs, denoted $\langle msg_{1,j}, \sigma_{1,j} \rangle, \langle msg_{2,j}, \sigma_{2,j} \rangle, \ldots, \langle msg_{n,j}, \sigma_{n,j} \rangle$, respectively. Instead of verifying each individual signature separately, $AP_j$ can verify these $n$ signatures simultaneously by checking the batch verification criterion. It is obvious that, in order to verify these $n$ signatures according to the batch verification criterion, $AP_j$ requires $n + 2$ scalar multiplications over the elliptic curve group $G_1$, whereas verifying each individual signature separately requires $3n$ scalar multiplications over $G_1$.
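The following Python example ties together the building blocks described above: the blind-signature registration of a pseudonym (the AS acting as the Pointcheval-Stern signer, so that the unblinded value is a GG-IBS key for the pseudonym), the GG-IBS signature on the handover request, the one-pass session key agreement, and the batch verification check with its $n + 2$ versus $3n$ scalar multiplications. It is an added example and not code from the paper or its authors. The curve (secp256k1), the hash encodings of $H_1$, $H_2$ and $\mathrm{KDF}$, the message layout (the signature covers both $msg_{i,j}$ and the ephemeral key $L$), and the blinding $R' = R + [\alpha]P - [\beta]P_{pub}$ chosen so that the page's $c = c' - \beta$ and $s' = s + \alpha$ unblind correctly are all assumptions.

```python
# Added example (not the paper's code): the pairing-free handover flow above on a
# real curve. Curve, hash encodings, message layout and the blinding
# R' = R + [alpha]P - [beta]P_pub are assumptions (see lead-in).
import hashlib
import secrets

# secp256k1 domain parameters (assumed; the paper only needs a prime-order group)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity O
    if A is None or B is None:
        return B if A is None else A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, p) % p
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, A):  # scalar multiplication [k]A by double-and-add
    R, k = None, k % q
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(tag, *parts):  # H1/H2: hash into Z_q with a domain tag (assumed encoding)
    h = hashlib.sha256(tag.encode())
    for x in parts:
        h.update(repr(x).encode())
    return int.from_bytes(h.digest(), "big") % q

def KDF(point):
    return hashlib.sha256(b"kdf" + repr(point).encode()).digest()

def rand():
    return secrets.randbelow(q - 1) + 1

s = rand()            # AS master secret key msk
P_pub = mul(s, P)     # master public key

def extract(identity):  # GG-IBS Extract for an AP: sk = r + H1(id, R) * s mod q
    r = rand()
    R = mul(r, P)
    return (r + H("H1", identity, R) * s) % q, R

def blind_extract(pid):  # MN registration: blind Schnorr run, AS never sees pid
    r = rand()
    R = mul(r, P)                                   # AS commitment [r]P
    alpha, beta = rand(), rand()                    # MN blinding factors
    R_mn = add(add(R, mul(alpha, P)), mul(q - beta, P_pub))  # R + [a]P - [b]P_pub
    c = (H("H1", pid, R_mn) - beta) % q             # page: c = c' - beta
    s_blind = (r + c * s) % q                       # AS answers the blinded challenge
    if mul(s_blind, P) != add(R, mul(c, P_pub)):    # MN checks the AS reply
        raise ValueError("AS reply failed verification")
    return (s_blind + alpha) % q, R_mn              # page: sk = s + alpha

def sign(pid, sk, R, msg, L):  # GG-IBS Sign over (msg, L); returns (A, y)
    a = rand()
    A = mul(a, P)
    return A, (a + H("H2", pid, msg, L, A) * sk) % q

def verify(pid, R, msg, L, A, y):  # [y]P == A + [b]R + [b*c]P_pub: 3 scalar mults
    c, b = H("H1", pid, R), H("H2", pid, msg, L, A)
    return mul(y, P) == add(add(A, mul(b, R)), mul(b * c, P_pub))

def batch_verify(reqs):  # n + 2 scalar multiplications for n requests
    y_sum, acc, bc_sum = 0, None, 0
    for pid, R, msg, L, A, y in reqs:
        c, b = H("H1", pid, R), H("H2", pid, msg, L, A)
        y_sum, bc_sum = (y_sum + y) % q, (bc_sum + b * c) % q
        acc = add(acc, add(A, mul(b, R)))           # one scalar mult per request
    return mul(y_sum, P) == add(acc, mul(bc_sum, P_pub))

def run_handover(n=3, ts=1700000000):  # returns (each_ok, batch_ok, keys_match, forged_ok)
    id_ap = "AP_j"
    sk_ap, R_ap = extract(id_ap)
    pk_ap = add(R_ap, mul(H("H1", id_ap, R_ap), P_pub))   # from AP_j's certificate
    reqs, mn_keys = [], []
    for _ in range(n):
        pid = "pid_" + secrets.token_hex(4)          # constructed pseudonym
        sk_mn, R_mn = blind_extract(pid)
        x = rand()
        L = mul(x, P)                                # ephemeral key, erased after use
        msg = (pid, id_ap, ts)                       # pid || id_AP || ts
        A, y = sign(pid, sk_mn, R_mn, msg, L)
        mn_keys.append(KDF(mul(x, pk_ap)))           # MN side: KDF([x]pk_AP)
        reqs.append((pid, R_mn, msg, L, A, y))
    each_ok = all(verify(*r) for r in reqs)
    ap_keys = [KDF(mul(sk_ap, r[3])) for r in reqs]  # AP side: KDF([sk_AP]L)
    pid, R, msg, L, A, y = reqs[0]                   # same signature, altered ts
    forged = [(pid, R, (pid, id_ap, ts + 1), L, A, y)] + reqs[1:]
    return each_ok, batch_verify(reqs), mn_keys == ap_keys, batch_verify(forged)
```

`run_handover()` returns four booleans: every request verifies individually, the batch criterion holds, both sides derive the same session key from $[x]pk_{AP_j} = [sk_{AP_j}]L$, and a batch containing one request whose time-stamp was altered after signing is rejected. The MN's session key depends only on its ephemeral $x$ and the AP's long-term key, which is why compromising $sk_{MN_i}$ later does not expose past session keys (MN forward secrecy), while the AP side remains a one-pass design with no ephemeral contribution of its own.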

Security and Efficiency Analysis
In this section, we give the security and efficiency analysis of our proposed handover authentication scheme.
Theorem 1. The proposed handover authentication scheme is an ID-eCK secure authenticated key establishment protocol under the ECCDHA in the random oracle model.

Proof. In the handover authentication phase, the roaming MN and the target AP actually perform Yasmin et al.'s one-pass identity-based authenticated key establishment protocol [15], which is proved to be ID-eCK secure under the elliptic curve computational Diffie-Hellman assumption in the random oracle model.
In the following, we provide an informal discussion of the security properties satisfied by our proposed handover authentication scheme.
• MN's Anonymity and Untraceability: In existing handover authentication schemes using identity-based signature schemes, to guarantee an MN's privacy the AS chooses a family of pseudo-identities and generates the associated private keys for each MN. Undoubtedly, the AS then knows the relationship between each MN's pseudonyms and its real identity. More seriously, the AS knows the MN's private keys; this is known as the key escrow problem in identity-based cryptography. In our proposed scheme, each MN chooses its own family of pseudonyms and obtains the associated private keys by running Pointcheval and Stern's blind signature scheme with the AS in the registration phase. Although each handover authentication request message must include a pseudonym of the roaming MN, there is no linkage between these pseudonyms, and nobody, not even the AS, knows the MN's private keys, is able to identify the MN, or can link two sessions initiated by the same MN (i.e., trace the MN's movement routes). Thus, our proposed handover authentication scheme is escrow-free and achieves MN anonymity and untraceability.
• MN's Key Compromise Security: In the handover authentication phase, the access request sent by $MN_i$ to $AP_j$ is actually a signature generated by $MN_i$ with its signing private key on the message $msg_{i,j} = pid_{MN_i} \| id_{AP_j} \| ts$, which proves to $AP_j$ that $MN_i$ is the holder of the private key corresponding to the pseudonym $pid_{MN_i}$. Here, we use the GG-IBS scheme. One reason for this is its efficiency and simplicity; another, more important reason is that it has been proved to be EUF-ID-CMA secure, as noted in Section 2.

Next, we compare our proposed handover authentication scheme with other existing handover authentication schemes [7,9,10,11,12] in terms of security, communication rounds, computation cost and bandwidth requirement. The results of this comparison are shown in Table 2 below.
For security, our proposed scheme is key-escrow-free and achieves anonymity and untraceability for MNs, while the schemes in [7,9,10,11,12] have the inherent drawback of the key escrow problem and can only provide weak anonymity and untraceability for MNs. He et al.'s scheme [7] is vulnerable to the key compromise attack on MNs, while the schemes in [9,10,11,12] and ours resist the attack. The schemes in [11,12] and ours enjoy forward secrecy for MNs, while the schemes in [7,9,10] do not.
Reducing communication cost is extremely important in wireless networks: Barr and Asanović [18] pointed out that wireless transmission of a single bit can require over 1000 times more energy than a single 32-bit computation. To establish a shared session key between an MN and an AP, there are two message transmissions in the existing handover authentication schemes [7,9,10,11,12], while there is only one message transmission in our proposed scheme.
For computational cost, we focus on the time spent on the expensive operations: the time $T_{bp}$ spent on a bilinear pairing operation over $G_1 \times G_1$ and the time $T_{sm}$ spent on a scalar multiplication over the elliptic curve group $G_1$; the time spent on highly efficient operations, such as hash functions and the key derivation function, is neglected. Both the MN and the AP need to perform expensive bilinear pairings in [7,9,10], while there is no bilinear pairing operation in [11,12] or in our proposed scheme. Moreover, neither Li et al.'s scheme [11] nor Chaudhry et al.'s scheme [12] supports batch verification, but our proposed scheme does.
To evaluate the bandwidth requirement, we assume that the size of a time-stamp, the length of an MN's pseudo-identity and the length of an AP's identity are 32 bits, 128 bits and 128 bits, respectively. It is well known that 3072-bit RSA keys are equivalent in strength to 128-bit symmetric keys and 256-bit elliptic curve cryptography keys. To provide 128-bit security, one can choose a 256-bit prime-order elliptic curve group $G_1$ in [9,10,11,12] and in our proposed scheme, while one needs to choose a 3072-bit prime-order elliptic curve group $G_1$ in [7]. In [7], the authentication request packet consists of the MN's pseudo-identity, the AP's identity, a time-stamp and one element of $G_1$, and the authentication response packet consists of the MN's pseudo-identity, the AP's identity and one element of $\mathbb{Z}_q^*$. The total communication cost of He et al.'s scheme is 3872 bits. In [9], the authentication request packet consists of the MN's pseudo-identity, the AP's identity, a time-stamp and two elements of $G_1$, and the authentication response packet consists of the MN's pseudo-identity, the AP's identity and one element of $\mathbb{Z}_q^*$. The total communication cost of Tsai et al.'s scheme is 1312 bits. In [10], the authentication request packet consists of the MN's pseudo-identity, the AP's identity, a time-stamp and two elements of $G_1$, and the authentication response packet consists of the MN's pseudo-identity, the AP's identity and one element of $\mathbb{Z}_q^*$. The total communication cost of Wang et al.'s scheme is 1312 bits. In [11], the authentication request packet consists of the MN's pseudo-identity, the AP's identity, a time-stamp, three elements of $G_1$ and one element of $\mathbb{Z}_q^*$, and the authentication response packet consists of the MN's pseudo-identity, the AP's identity, one element of $G_1$ and one element of $\mathbb{Z}_q^*$. The total communication cost of Li et al.'s scheme is 2080 bits. In [12], the authentication request packet consists of the MN's pseudo-identity, the AP's identity, a time-stamp, two elements of $G_1$ and one element of $\mathbb{Z}_q^*$, and the authentication response packet consists of the MN's pseudo-identity, the AP's identity, one element of $G_1$ and one element of $\mathbb{Z}_q^*$. The total communication cost of Chaudhry et al.'s scheme is 1824 bits. In our proposed scheme, the authentication request packet consists of the MN's pseudo-identity, the AP's identity, a time-stamp, three elements of $G_1$ and one element of $\mathbb{Z}_q^*$, and the total communication cost of our proposed scheme is 1312 bits.

Conclusions
A fast handover authentication scheme is essential for seamless service to delay-sensitive applications in wireless networks. At the same time, data security and user privacy have become increasingly important in mobile computing, particularly in the context of handover authentication schemes, as they relate to users' credential information. In this paper, we first showed that He et al.'s handover authentication scheme does not meet the main security properties: key compromise security, forward secrecy, escrow-freeness and strong anonymity for mobile nodes. Then, we proposed a new secure and efficient handover authentication scheme using elliptic curve cryptography. Not only does the proposed scheme satisfy all the essential security requirements for handover authentication schemes, but it also achieves forward secrecy, escrow-freeness and strong anonymity for mobile nodes. The proposed scheme is provably secure under the elliptic curve computational Diffie-Hellman assumption in the random oracle model and outperforms previously reported schemes in terms of computation and communication overhead. There is only one message transmission between a roaming mobile node and the target access point in our proposed scheme, while there are at least two message transmissions between a roaming mobile node and the target access point in other existing schemes. To achieve better performance, it is desirable to provide batch verification, in which the target access point verifies the correctness of multiple received messages simultaneously. Unfortunately, all previous handover authentication schemes either support batch verification but require complicated bilinear pairing operations, or require no bilinear pairing operations but do not support batch verification. Our proposed scheme requires no complicated bilinear pairing operation and also supports batch verification. Therefore, our proposed scheme is well suited for implementing secure communication in wireless networks. Thus far, all existing handover authentication schemes have been proved secure in the random oracle model. However, Canetti et al. showed that some cryptographic schemes that are provably secure in the random oracle model are completely insecure when the random oracle is instantiated with any function family. It is therefore of interest to design new efficient handover authentication schemes that are provably secure in the standard model.